Prerequisites to Create a Domain

Complete the prerequisites before you create a domain.

Create Policies for the Dynamic Group

Create policies in Oracle Cloud Infrastructure so that the compute instances in Oracle WebLogic Server for OKE with Verrazzano can access your encryption key.

When you create a stack with Verrazzano, the compute instances in Oracle WebLogic Server for OKE need access to specific Oracle Cloud Infrastructure resources, which ones depending on your custom setup. The dynamic group policies below grant that access; include only the statements that apply to your configuration.

If you are creating a stack with Verrazzano that uses custom OCI DNS, then the following sample policy grants access to the OCI DNS zone:

    Allow dynamic-group MyInstancesPrincipalGroup to inspect dns-zones in compartment id DNS_Zone_CompartmentID
    Allow dynamic-group MyInstancesPrincipalGroup to use dns-zones in compartment id DNS_Zone_CompartmentID where target.dns-zone.id='<dns_zone_ocid>'
    Allow dynamic-group MyInstancesPrincipalGroup to manage dns-records in compartment id DNS_Zone_CompartmentID where target.dns-zone.id='<dns_zone_ocid>'

If you are creating a stack with Verrazzano that uses OCI private DNS and a new VCN, then the following sample policy grants access to the required resources:

    Allow dynamic-group MyInstancesPrincipalGroup to inspect vcns in compartment id NetworkCompartmentID where target.vcn.id='<vcn_id>'
    Allow dynamic-group MyInstancesPrincipalGroup to use dns-resolvers in compartment id NetworkCompartmentID where target.dns-resolver.display-name='<label_prefix-vcn>'
    Allow dynamic-group MyInstancesPrincipalGroup to inspect dns-views in compartment id DNS_Zone_CompartmentID

If you are creating a stack with Verrazzano that uses a custom CA, then the following sample policy grants read access to the secrets that hold the custom CA certificate and its signing key:

    Allow dynamic-group MyInstancesPrincipalGroup to read secret-bundles in tenancy where target.secret.id = '<custom_ca_cert_secret_ocid>'
    Allow dynamic-group MyInstancesPrincipalGroup to read secret-bundles in tenancy where target.secret.id = '<custom_ca_signing_key_secret_ocid>'

If you are creating a stack with Verrazzano that uses an OCIR repository, then the following sample policy grants access to the OCIR repository:

    Allow dynamic-group MyInstancesPrincipalGroup to manage repos in compartment id OCI_Identity_CompartmentID
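As an added illustration, not part of the Oracle documentation or of any Oracle tool, the following Python script parses dynamic-group policy statements of the form shown above and lists the ones worth a least-privilege review before you apply them: a use or manage grant with no where clause, or a tenancy-wide grant with no where clause. The statement grammar it accepts (Allow dynamic-group <group> to <verb> <resource-type> in <scope> [where <condition>]) and the verb ordering inspect < read < use < manage follow the OCI IAM policy syntax; the embedded sample text is this page's own statements, placeholders included, and the two review rules are this example's choices rather than an Oracle recommendation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OCI IAM verbs in increasing order of privilege (inspect < read < use < manage).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Grammar: Allow dynamic-group <group> to <verb> <resource-type> in <scope> [where <condition>]
# Scope is "tenancy", "compartment <name>" or "compartment id <ocid>".
POLICY_RE = re.compile(
    r"^Allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+id\s+\S+|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass
class PolicyStatement:
    group: str
    verb: str
    resource: str
    scope: str
    condition: Optional[str]  # text after "where", or None when the grant is unconditional


def parse_statement(line: str) -> PolicyStatement:
    """Parse one dynamic-group policy statement; raise ValueError for anything else."""
    match = POLICY_RE.match(line.strip())
    if match is None:
        raise ValueError(f"not a dynamic-group policy statement: {line!r}")
    return PolicyStatement(
        group=match["group"],
        verb=match["verb"].lower(),
        resource=match["resource"].lower(),
        scope=re.sub(r"\s+", " ", match["scope"]),
        condition=match["condition"],
    )


def review_policy(policy_text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every statement that deserves a least-privilege review."""
    findings = []
    for number, line in enumerate(policy_text.splitlines(), start=1):
        if not line.strip():
            continue
        stmt = parse_statement(line)
        if stmt.scope.lower() == "tenancy" and stmt.condition is None:
            findings.append((number, f"tenancy-wide '{stmt.verb} {stmt.resource}' with no where clause"))
        elif VERB_RANK[stmt.verb] >= VERB_RANK["use"] and stmt.condition is None:
            findings.append((number, f"'{stmt.verb} {stmt.resource}' is not restricted to a specific resource"))
    return findings


# The sample statements from this page, placeholders included (line 9 is the OCIR grant).
SAMPLE_POLICY = """\
Allow dynamic-group MyInstancesPrincipalGroup to inspect dns-zones in compartment id DNS_Zone_CompartmentID
Allow dynamic-group MyInstancesPrincipalGroup to use dns-zones in compartment id DNS_Zone_CompartmentID where target.dns-zone.id='<dns_zone_ocid>'
Allow dynamic-group MyInstancesPrincipalGroup to manage dns-records in compartment id DNS_Zone_CompartmentID where target.dns-zone.id='<dns_zone_ocid>'
Allow dynamic-group MyInstancesPrincipalGroup to inspect vcns in compartment id NetworkCompartmentID where target.vcn.id='<vcn_id>'
Allow dynamic-group MyInstancesPrincipalGroup to use dns-resolvers in compartment id NetworkCompartmentID where target.dns-resolver.display-name='<label_prefix-vcn>'
Allow dynamic-group MyInstancesPrincipalGroup to inspect dns-views in compartment id DNS_Zone_CompartmentID
Allow dynamic-group MyInstancesPrincipalGroup to read secret-bundles in tenancy where target.secret.id = '<custom_ca_cert_secret_ocid>'
Allow dynamic-group MyInstancesPrincipalGroup to read secret-bundles in tenancy where target.secret.id = '<custom_ca_signing_key_secret_ocid>'
Allow dynamic-group MyInstancesPrincipalGroup to manage repos in compartment id OCI_Identity_CompartmentID
"""

if __name__ == "__main__":
    for number, reason in review_policy(SAMPLE_POLICY):
        print(f"line {number}: {reason}")
```

Run against the page's statements, the script reports only the OCIR line, because manage repos is granted for a whole compartment with no where clause; the DNS grants are either inspect-only or pinned to a zone, resolver or VCN id, and the secret grants are pinned to specific secret OCIDs. Whether the OCIR grant can be narrowed depends on how many repositories the stack needs, which the script cannot know; its job is to make the broad grants visible.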

See these topics in the Oracle Cloud Infrastructure documentation:

Validate Existing Network Setup

You can use helper scripts from Oracle Cloud Infrastructure Cloud Shell to validate the existing network setup (existing VCN and existing WebLogic Server subnet) for Oracle WebLogic Server for OKE. See Using Cloud Shell in the Oracle Cloud Infrastructure documentation.

The helper scripts perform the following validations:

  • Validates that a service gateway or a NAT gateway exists for the administration instance private subnet and the worker node private subnets.

  • Validates that an internet gateway exists for the public bastion, file shared system, and load balancer subnets.

  • Checks that port 22 in the WebLogic Server subnet is open to the CIDR of the bastion instance subnet or to the bastion host IP.

  • Checks that the service gateway route rule of the private subnet for the Oracle WebLogic Server compute instances has All <Region> Services In Oracle Services Network as its destination.

  • Checks that the existing subnet for the load balancer has a security list that enables inbound access to ports 80 and 443.

  • Validates that all protocols are open in the private Kubernetes worker node subnet for the worker CIDR range.

  • Validates that all protocols are open in the private Kubernetes worker node subnet for the VCN CIDR range.

  • Validates that the file shared system subnet has a security list that enables outbound access to ports 111 and 2048 (both TCP and UDP).

  • Validates that the database port is accessible from the WebLogic Server subnets.
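To make the port checks in that list concrete, here is an added Python example. It is not Oracle's validateoke.sh (whose source is on the Script File To Validate Network Setup page) and it does not call the OCI CLI; it evaluates one security list the way those validations do. The input is the JSON shape that oci network security-list get prints, trimmed to the fields the check reads (ingress-security-rules, egress-security-rules, protocol, source or destination, and tcp-options or udp-options with a destination-port-range); those field names are an assumption about the API response. The security list embedded in the script is constructed sample data in which TCP and UDP 2048 egress is deliberately missing, so the run reports two errors in the same wording the page's output uses. It goes one step beyond the page: after confirming that port 22 is reachable from the bastion CIDR, it also warns when that port is open to 0.0.0.0/0 rather than only to the bastion.

```python
import ipaddress
import json

# Constructed sample security list. The shape follows the JSON that
# `oci network security-list get` prints (field names are an assumption about
# that response, trimmed to what this check reads). TCP/UDP 2048 egress is
# deliberately missing so that validate_subnet() has something to report.
SAMPLE_SECURITY_LIST = json.loads("""
{
  "ingress-security-rules": [
    {"protocol": "6", "source": "10.0.0.0/24",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}}
  ],
  "egress-security-rules": [
    {"protocol": "6", "destination": "10.0.0.0/16",
     "tcp-options": {"destination-port-range": {"min": 111, "max": 111}}},
    {"protocol": "17", "destination": "10.0.0.0/16",
     "udp-options": {"destination-port-range": {"min": 111, "max": 111}}},
    {"protocol": "all", "destination": "10.0.2.0/24"}
  ]
}
""")

# IANA protocol numbers as they appear in OCI security-list rules.
PROTOCOL_NUMBERS = {"tcp": "6", "udp": "17"}


def rule_covers(rule, direction, protocol, port, cidr):
    """True if one rule allows protocol/port from (ingress) or to (egress) every address in cidr."""
    if rule.get("protocol") not in ("all", PROTOCOL_NUMBERS[protocol]):
        return False
    peer = rule.get("source" if direction == "ingress" else "destination")
    try:
        peer_net = ipaddress.ip_network(peer, strict=False)
    except (TypeError, ValueError):
        return False  # missing, or a service label (service gateway rule) rather than a CIDR
    if not ipaddress.ip_network(cidr, strict=False).subnet_of(peer_net):
        return False  # the rule must cover the whole CIDR being asked about
    if rule["protocol"] == "all":
        return True
    port_range = rule.get(f"{protocol}-options", {}).get("destination-port-range")
    if port_range is None:
        return True  # no destination range means every port of that protocol
    return port_range["min"] <= port <= port_range["max"]


def port_open(sec_list, direction, protocol, port, cidr):
    """True if any rule in the given direction allows protocol/port for the whole cidr."""
    key = "ingress-security-rules" if direction == "ingress" else "egress-security-rules"
    return any(rule_covers(r, direction, protocol, port, cidr) for r in sec_list.get(key, []))


def validate_subnet(sec_list, bastion_cidr, vcn_cidr):
    """Run the page's SSH and file shared system port checks against one security list."""
    findings = []
    if not port_open(sec_list, "ingress", "tcp", 22, bastion_cidr):
        findings.append(f"WARNING: SSH port 22 is not open for access by Bastion Subnet CIDR [{bastion_cidr}]")
    elif port_open(sec_list, "ingress", "tcp", 22, "0.0.0.0/0"):
        findings.append("WARNING: SSH port 22 is open to 0.0.0.0/0; restrict it to the bastion CIDR")
    for port in (111, 2048):
        for protocol in ("tcp", "udp"):
            if not port_open(sec_list, "egress", protocol, port, vcn_cidr):
                findings.append(f"ERROR: {protocol.upper()} -- {port} -- Port is not open in FSS Subnet for VCN CIDR")
    return findings


if __name__ == "__main__":
    for line in validate_subnet(SAMPLE_SECURITY_LIST, "10.0.0.0/24", "10.0.0.0/16"):
        print(line)
```

The check is deliberately strict about CIDRs: a rule counts only if its source or destination network contains the entire CIDR being tested, so a rule for 10.0.0.0/25 does not satisfy a check for the 10.0.0.0/24 bastion subnet. That is the same direction of error the real script makes (a false "not open" rather than a false "open"), which is the safe side for a pre-flight validation.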

Using the Validation Script

You can run the helper scripts to perform validations for existing private subnets, existing public subnets, and existing VCN peered subnets.

To check the existing network setup, run the validation script from Cloud Shell. The following steps use a validation script file named validateoke.sh; see Script File To Validate Network Setup to create that file.
  1. Set execute permission on the validateoke.sh file.

    chmod +x validateoke.sh

  2. Run the following command before creating a domain:
    • Basic domain

      ./validateoke.sh -b <Bastion Subnet OCID> -a <Administration Host Subnet OCID> -w <Worker Subnet OCID> -f <File Shared System Subnet OCID> -l <Load Balancer Subnet OCID>

    Note:

    If you restricted access to port 22 in the WebLogic Server subnet to the bastion compute instance only, you can validate using the bastion host IP CIDR rather than the entire bastion subnet CIDR:

    ./validateoke.sh -b <Bastion Subnet OCID> -i <Bastion Host IP CIDR> -a <Administration Host Subnet OCID> -w <Worker Subnet OCID> -f <File Shared System Subnet OCID> -l <Load Balancer Subnet OCID>

The following example shows the output of validateoke.sh when checking the existing WebLogic Server subnet (and optionally the database subnet) network setup in a VCN whose existing subnets are missing required ports and gateways:
example_user@cloudshell:~ (us-phoenix-1)$ ./validateoke.sh -b <Bastion Subnet OCID> 
-a <Administration Host Subnet OCID> -w <Worker Subnet OCID> -f <File Shared System Subnet OCID> 
-l <Load Balancer Subnet OCID>
ERROR: SSH port 22 is not open for access by [0.0.0.0/0] in <Bastion Subnet OCID>
WARNING: SSH port 22 is not open for access by Bastion Subnet CIDR [10.0.0.0/24] in private Admin Host Subnet [<Administration Host Subnet OCID>]
ERROR: Missing Service or NAT gateway in the VCN of the private ADMIN_SUBNET Host subnet ocid [<Administration Host Subnet OCID>]
WARNING: Missing internet gateway in the VCN of the BASTION_SUBNET subnet [<Bastion Subnet OCID>]
WARNING: Missing internet gateway in the VCN of the LB_SUBNET subnet [<Load Balancer Subnet OCID>]
WARNING: Missing internet gateway in the VCN of the FSS_SUBNET_OCID subnet [<File Shared System Subnet OCID>]
WARNING: For LB CIDR - Ports are not open in Workers Subnet CIDR 31474
WARNING: For LB CIDR - Ports are not open in Workers Subnet CIDR 10256
WARNING: For LB CIDR - Ports are not open in Workers Subnet CIDR 31804
WARNING: All Ports are not open for LB Subnet CIDR
WARNING: All Ports are not open for LB Subnet CIDR
WARNING: All Ports are not open for LB Subnet CIDR
ERROR: All Protocols are not open for WORKER's Subnet CIDR
ERROR: All Protocols are not open in WORKER's Subnet for VCN CIDR
ERROR: TCP -- 111 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2048 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2049 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2050 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 111 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2048 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2049 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2050 -- Port is not open in FSS Subnet for VCN CIDR